Pwn2Own 2012: Google Chrome browser sandbox first to fall

Status
Not open for further replies.

Ayanami

New Member
Thread author
Jan 14, 2012
81
https://www.zdnet.com/blog/security/pwn2own-2012-google-chrome-browser-sandbox-first-to-fall/10588


Exploit writers at VUPEN take special pleasure in attacking Google’s Chrome browser, using a pair of zero-day flaws to defeat the browser’s heralded sandbox.
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
Well, that was fast... I can bet that the guys from VUPEN exploited the Adobe Flash plugin again...
I for one see this type of contest more as a show than as an actual 'possible threat' to my system, but nevertheless VUPEN managed to exploit the Chrome sandbox.
 

HeffeD

Level 1
Feb 28, 2011
1,690
I don't think it was exploiting Flash, because that was what their previous exploit did and Google didn't count it as an exploit because it was exploiting third-party code. But again, VUPEN isn't really divulging their secrets. Like last time, they're trying to make money off the whole thing. Keeping the details to sell to 'their customers'... In other words, they aren't doing it to help make Chrome a better browser.

The second article I find more interesting. Instead of breaking out of the sandbox like the VUPEN exploit, this one just goes around the sandbox entirely. It also didn't use a zero-day exploit like the VUPEN example. Google was also very impressed, which is why they gave the guy $60,000.
 

Hungry Man

New Member
Jul 21, 2011
669
lol

"It was a use-after-free vulnerability in the default installation of Chrome," he said. "Our exploit worked against the default installation so it really doesn't matter if it's third-party code anyway."

Translation: Flash use-after-free + design flaw just like last time? I wouldn't be surprised.

"The Chrome sandbox is the most secure sandbox out there. It's not an easy task to create a full exploit to bypass all the protections in the sandbox. I can say that Chrome is one of the most secure browsers available."

No code is perfect. Chrome getting hacked was only a matter of time. Whether we see these in the wild or not - completely different story.
 

Prorootect

Level 69
Verified
Nov 5, 2011
5,855
From the first topic's link: '“This just shows that any browser, or any software, can be hacked if there is enough motivation and skill,” he added.' - emphasis mine.

'No code is perfect. Chrome getting hacked was only a matter of time. Whether we see these in the wild or not - completely different story.' - Totally agree with you, Hungry Man.

And PS. Look at the latest Adobe Flash Player update - check the link in our topic: Adobe Flash Player new version check (in the 'Maintenance and tweaking' section): http://malwaretips.com/Thread-Adobe-Flash-Player-new-version-check
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
I remember before when those guys attempted to exploit the sandbox and it was pwned; however, Google engineers stated it was only a Flash Player bug that was successfully exploited.
 

HeffeD

Level 1
Feb 28, 2011
1,690
Even if it was Flash that they exploited, that isn't important. What is important is that they were able to make code running in the sandbox break out of the sandbox. And all the user had to do was visit a webpage...

However, being based on zero day exploits, I don't expect the problem to last very long, even if VUPEN isn't willing to release details about what they actually did.

As I already mentioned, I'm more concerned about the second exploit mentioned, which doesn't use a zero day exploit and instead directly targets the Chrome code. And it doesn't need to break out of the sandbox because it completely avoids the sandbox. Of course, this guy is giving the specifics to Google, so it will be quickly fixed.

Either way you look at it, it still makes more sense to me to run Chrome inside a sandbox instead of merely relying on the browser's protection to keep you safe. This way the hacker must design code to break out of two sandboxes: Chrome's, and whatever else you happen to be running.
 

Hungry Man

New Member
Jul 21, 2011
669
Sandbox bypasses happen. Sergey has found more than this one in the past and he's said that of the bugs he's found very few are sandbox bypasses.

@Heffy,

Both are 0day exploits. One is use-after-free and one is universal-xss.

The idea of the sandbox is not to implement perfect security, it is to drive up the costs of exploits. Instead of one exploit to infect the system you need two.
 

HeffeD

Level 1
Feb 28, 2011
1,690
Hungry Man said:
Both are 0day exploits. One is use-after-free and one is universal-xss.

Must have missed that. Thanks. :)

Hungry Man said:
The idea of the sandbox is not to implement perfect security, it is to drive up the costs of exploits. Instead of one exploit to infect the system you need two.

I think the idea of the sandbox is to implement perfect security. ;) (or at least as close as possible to perfect) The idea being, anything in the sandbox stays in the sandbox. Do you have a different take on this?
 

Hungry Man

New Member
Jul 21, 2011
669
I do. Here's a nice paper on the Windows sandboxes:
http://media.blackhat.com/bh-eu-11/Tom_Keetch/BlackHat_EU_2011_Keetch_Sandboxes-WP.pdf

"To decrease the value of the target, one option for would be to decrease the value of assets accessible from the target application. This is where sandboxes are useful, because they place the most exposed parts of the target application in a separate protection domain to that of the user and provide the target application with a minimal level of access to a user's assets."


Basically, the general idea of a MAC sandbox like the ones we see on Windows is to force hackers to need 2 exploits instead of 1 - driving up the cost of the exploits.

Sandboxes can't provide 100% security. They just aren't meant to. They protect the system from unauthorized access etc but there's a multitude of exploits that don't need system access (think xss.)
 

HeffeD

Level 1
Feb 28, 2011
1,690
Hungry Man said:
Sandboxes can't provide 100% security. They just aren't meant to. They protect the system from unauthorized access etc but there's a multitude of exploits that don't need system access (think xss.)

Sorry for the misunderstanding.

I did insert the lighthearted winking emoticon, but it didn't get my point across. Perhaps I should have worded it differently. How is this?

My idea of the sandbox is perfect security. Meaning, anything spawned in there can have no effect on your actual system. Would you prefer less when it comes to sandbox design?

I suspect most people's idea of the sandbox is perfect security. Sandboxing software is making great strides towards this goal. I realize it has a long way to go yet, and will never be 100%, but I have hopes it will eventually be as close to perfect as you can get.
 

Hungry Man

New Member
Jul 21, 2011
669
I suppose it depends on the sandbox. The sandbox that comes closest to what could be considered perfect security IN THAT it provides complete separation of the sandboxed and unsandboxed contents of a system would be the Linux SECCOMP Chrome Sandbox.

The reason that sandbox is so capable is because it goes beyond file access/sockets and actually whitelists API calls as well. That's a very powerful sandbox.

Even that sandbox, which could be considered as "perfect" as any sandbox can be, is not perfect security.

In that sandbox there could still be an XSS vulnerability that allows a user's session to be hijacked. Is the system compromised? Not necessarily - but the hack is performed and if the information the hacker requires is within the sandbox they can get it. Sandboxing addresses XSS only to an extent.

Sandboxing makes no attempt to address issues like cracking SSL with SSLStrip etc, and really it shouldn't. That's not what it's for.

I think that, given the current threat landscape, which is made up primarily of socially engineered malware/exploits that drop payloads that try to actually infect the system, sandboxing is the most effective means of protection. Threats change; we'll see how things turn out.
 
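The syscall whitelisting Hungry Man describes for the Linux seccomp Chrome sandbox, as an added example that is not code from the thread, from Chrome or from the Keetch paper: a minimal seccomp-bpf filter that allows only write and exit, then shows that any other call is killed by the kernel with SIGSYS. The names install_whitelist and probe, and the x86_64/aarch64 assumption, are mine.

```c
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __aarch64__
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#define ARCH_NR AUDIT_ARCH_X86_64 /* assumption: x86_64 on anything else */
#endif
/* Two BPF instructions: if the syscall number equals nr, return ALLOW. */
#define ALLOW_SYSCALL(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
                          BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
/* Whitelist filter: listed syscalls pass, anything else kills the caller. */
static int install_whitelist(void) {
    struct sock_filter filter[] = {
        /* refuse calls made through a foreign ABI (e.g. 32-bit on x86_64) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW_SYSCALL(SYS_write), ALLOW_SYSCALL(SYS_exit_group), ALLOW_SYSCALL(SYS_exit),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL), /* default: deny */
    };
    struct sock_fprog prog = { sizeof(filter) / sizeof(filter[0]), filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* required for unprivileged use */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Run one syscall in a whitelisted child: 0 = allowed and exited normally,
 * 1 = kernel killed the child with SIGSYS, -1 = filter failed or other outcome. */
int probe(long nr) {
    pid_t pid = fork();
    if (pid == 0) {
        if (install_whitelist() != 0) _exit(2);
        syscall(nr, 1, "", 0); /* write(1, "", 0); getpid ignores the extra args */
        _exit(0);
    }
    int st;
    if (pid < 0 || waitpid(pid, &st, 0) != pid) return -1;
    if (WIFSIGNALED(st) && WTERMSIG(st) == SIGSYS) return 1;
    return (WIFEXITED(st) && WEXITSTATUS(st) == 0) ? 0 : -1;
}
/* Stand-alone run: exit 0 when write is allowed and getpid is killed. */
int main(void) { return (probe(SYS_write) == 0 && probe(SYS_getpid) == 1) ? 0 : 1; }
```

A real browser sandbox whitelists a much longer list and combines the filter with namespaces and dropped privileges; this block shows only the syscall-whitelist layer.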

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
24 hours later the vulnerabilities are patched....fast...very fast....

msnbc said:
Google patches Chrome flaw in 24 hours

The day after Google's Chrome browser was successfully hacked twice at this year's CanSecWest security conference in Vancouver, British Columbia, Google pushed out a patch to fix the flaw that made one of the hacks possible — the second Chrome update in three days.

"Congratulations again to community member Sergey Glazunov for the first submission to Pwnium!" wrote Chrome developer Jason Kersey on the official Chrome blog. "Ch-ch-ch-ch-ching!!! $60,000."

Read more: http://www.msnbc.msn.com/id/46681561/ns/technology_and_science-security/#.T1o_xzGcCGt
 

Hungry Man

New Member
Jul 21, 2011
669
Google does have an impressive track record for patch-time. Sergey Glazunov is also likely cooperating in full with the patch, he's done so before.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Besides the enhancements provided by Chrome, it's really good to see how minor and major bugs were fixed immediately, so the exposure to the vulnerability isn't widespread.
 